Australia, New Zealand Still Mulling Data Breach Laws

Breach Notification, Data Breach, Legislation

Both Nations Have Committed to Strengthening Notification Requirements

Neither Australia nor New Zealand has laws requiring organizations to notify people affected by data breaches, but officials in both countries are reviewing proposals and plan to introduce related legislation.


Regulators in both countries now generally encourage organizations to report breaches depending on the type of information released and the potential impact. But what constitutes a serious breach could be open to interpretation - a gap that both nations hope to close with new legislation.

New Zealand's Privacy Act

In 2011, New Zealand's Law Commission completed a five-year study of the country's Privacy Act, which went into effect in 1993. The review was launched over concerns and warnings that the law wasn't keeping up with the pace of technology changes.

One of the commission's key recommendations is that people should be notified of serious security breaches. The government went so far as to say that the best course of action would be to repeal the existing Privacy Act then re-enact it with various critical updates included.

In May 2014, then-Justice Minister Judith Collins said the government would introduce a targeted technical consultation on proposals before a bill was introduced to Parliament.

The proposals included requiring organizations to report data breaches to the privacy commissioner and to notify individuals in what are considered "serious" cases.

The mandatory reporting requirement would have two tiers. Under the first tier, which covers less serious breaches, organizations would be required to report "material" breaches, a determination that takes into account the information leaked, the number of people affected and whether the lapse is part of a systemic problem.

A tier-two breach is more serious. In that case, organizations would have to take reasonable steps to notify the commissioner if there is a real risk of harm, such as loss, injury, significant humiliation or adverse effects on rights or benefits.

Failing to notify the privacy commissioner of a data breach would trigger a fine of up to NZ$10,000 ($6,750). Another proposal was to give the privacy commissioner new powers, including the ability to issue compliance notices, as well as stronger authority to investigate suspected privacy problems.

Two years later, there is still no new law on the books. But current Justice Minister Amy Adams said earlier this month that she intends to implement the reforms identified by the Law Commission and "modernize" the Privacy Act.

"I intend to release an exposure draft of the new Privacy Bill before the end of 2016 for targeted consultation," she said in a speech to the Wellington Privacy Forum on May 11. "This will provide an opportunity for privacy experts to comment on whether the draft bill implements the government's privacy reforms in a way that is clear, accessible and user-friendly." She plans to then introduce the bill in New Zealand's Parliament next year.

"These reforms will incentivize private entities and public sector agencies to value early identification and prevention of privacy risks that could cause harm," she said.

Australian Information Commissioner Guidelines

In Australia, there has been significant public support for some type of data breach notification requirement, according to a recent analysis by the law firm Corrs Chambers Westgarth. The Labor government introduced draft bills in 2013 and 2014, but a law never made it onto the books.

Governments are generally reluctant to impose new regulations on businesses, says attorney Gordon Hughes, a partner with the Melbourne-based law firm Davies Collison Cave, who specializes in technology and data protection.

"Certainly there is resistance from the commercial sector to any form of significant mandatory data breach reporting obligation," Hughes tells Information Security Media Group. "A bank doesn't want to advertise to the world that their information has been compromised."

Currently, the Office of the Australian Information Commissioner recommends that breached organizations inform both the OAIC and those affected by a breach if there is a "serious risk of harm." The OAIC says organizations should consider what kind of personal information was breached, the cause and extent of the breach, as well as what harm individuals could experience, when assessing whether it's serious.

The OAIC's guidelines note, for example, that Australian Medicare numbers, driver's license details, health or financial information such as payment card numbers "might pose a greater risk of harm to an individual than their name or address."

It adds: "A combination of personal information typically creates a greater risk of harm than a single piece of personal information."

But while those might be the OAIC's recommendations, under current Australian law, organizations are under no obligation to notify consumers or the OAIC if they've been breached.

Australia: Support for Breach Legislation

But there's support from Australia's ruling Liberal Party to push ahead. In March, the government concluded a public consultation on the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015, which would amend the country's Privacy Act of 1988 to incorporate a mandatory reporting requirement.

The notification requirement would apply to federal government agencies and private organizations with an annual turnover exceeding AU$3 million ($2.2 million). It also applies to foreign companies that deal directly with Australian consumers or process information on behalf of Australian businesses.

"The implications for Australian businesses (and foreign businesses conducting business in Australia) are likely to be significant and far-reaching," write Philip Cantania, partner, and Tim Lee, senior associate, both of Melbourne-based law firm Corrs Chambers Westgarth. "Australian companies that use offshore data processing services are particularly likely to be impacted."

Serious or repeated breaches could be subject to civil penalties up to AU$1.7 million ($1.2 million). Organizations would have 30 days to determine if a breach meets the reporting threshold.

Experts expect to see no action on the legislation until after Australia holds a federal election on July 2. Hughes said the issue of data protection hasn't even come up in current campaigns.

"Privacy is not a big vote winner," he said. "People just don't get excited about it."